Your data, going on sale soon

Information being collected for the unique identification project will be sold back to the government through specially created, privatised, for profit utilities

Technology has created the potential to record, collate, converge, retrieve, mine, share, profile and otherwise conjure with data. Data is the new property. The Unique Identification Authority of India (UIDAI), with its push to enrol the whole Indian resident population, signals the emergence of an information infrastructure facilitated by the government — it finances the “start up,” and uses its authority to coerce people to get on to the database, and then handed over to corporate interests when it reaches a “steady state.”

Allowing private entry

The UIDAI was set up by an executive notification dated January 28, 2009. The Planning Commission was the nodal agency “for providing logistics, planning and budgetary support” and to “provide initial office and IT infrastructure.” As part of its “role and responsibilities,” the UIDAI was to “issue necessary instructions to agencies that undertake creation of databases, to ensure standardisation of data elements that are collected and digitised and enable collation and correlation with UID [Unique Identification Number/Aadhaar] and its partner databases.” It was to “take necessary steps to ensure collation of NPR [National Population Register] with UID”. And, the UIDAI “shall own and operate” the UID database.

When the state holds data it collects in its transactions with its residents, it holds the data in a fiduciary capacity. It does not own the data.

The framework for ownership of data was set out by the Nandan Nilekani-chaired Technology Advisory Group for Unique Projects (TAG-UP), which gave its report in January 2011. While the Nilekani committee directly addressed five projects — Goods and Services Tax Network, Tax Information Network, Expenditure Information Network, National Treasury Management Agency and the New Pension System — it recommended that the suggested framework “be more generally applicable to the complex IT-intensive systems which are increasingly coming to prominence in the craft of Indian public administration.”

As understood by TAG-UP, the government has two major tasks: policymaking and implementation. Implementation is weak, and rather than spend time finding correctives, the committee found in this an opportunity for private business interests. So, TAG-UP suggested the setting up of National Information Utilities (NIUs).

“NIUs would be private companies with a public purpose: profit-making, not profit maximising.” The government would have “strategic control,” that is, it would be focused on how it would achieve the objectives and outcomes, leaving the NIU “flexible” in its functioning. Total private ownership should be at least 51 per cent. The government should have at least 26 per cent shares. Once it reaches steady state, the government would be a “paying customer.” As a paying customer, “the government would be free to take its business to another NIU”; though, given the “large upfront sunk-cost, economies of scale, and network externalities from a surrounding ecosystem (and what this means is not explained any further), NIUs are ... essentially set up as natural monopolies.” To get a buy-in from the bureaucracy, “in-service officers” are to be deployed in the NIUs and are to be given an allowance of 30 per cent of their remuneration.

Government as customer

“Once the rollout is completed,” the Nilekani committee blithely states, “the government’s role shifts to that of a customer.”

In sum, what emerges from the TAG-UP report is this: governmental data and databases are to be privatised through the creation of NIUs which will then “own” the data. NIUs will be natural monopolies. NIUs will use the data and the database for profit-making and not profit-maximising, and the definition of these terms are indeterminate.

Government will support the NIUs through funding them till they reach a steady state, and by doing what is needed to gather the data and create the database using governmental authority. Once the NIU reaches steady state, the government will reappear as the customer of the NIU. Government officers will be deployed in NIUs and be paid 30 per cent over their salaries, which, even if the report does not say it explicitly, is expected to forge loyalties and vested interests. The notion of holding citizens’ data in a fiduciary capacity cedes place to the vesting of ownership over citizens’ data in an entity which will then have the government as their customer.

This notion of private companies owning our data has not been discussed with state governments, nor with people from whom information is being collected.

Unexplained

We might have treated the TAG-UP report as another report without a future; except, in the Budget presented by Mr. Pranab Mukherjee as Finance Minister in March 2012, he announced that the “GSTN (Goods and Sales Tax Network) will be set up as a National Information Utility.” The NIU was not explained to Parliament, and no one seems to have raised any questions about what it is.

There is disturbing evidence that the UIDAI provided the basis for the NIU. The report is littered with references to the UIDAI, and suggests that the way the UIDAI has been functioning is a model for the NIU. The Biometrics Standards Committee set up by the UIDAI in September 2009 and which gave its report in December 2009 declared that the UIDAI intended to “create a platform to first collect identity details of residents, and subsequently perform identity authentication services that can be used by government and commercial service providers.” The “UIDAI Strategy Overview,” in April 2010, estimated that it would generate Rs.288.15 crore in annual revenue through address and biometric authentication once it reaches a steady state, where authentication services for new mobile connections, PAN cards, gas connections, passports, LIC policies, credit cards, bank accounts and airline check-in, would net this profit. Till then, it is to be funded by the government. Once that stage is reached, it will be a private, profit-making entity and the government, like other commercial service providers, will become its customer.

Data for a price

Mr. Nilekani calls it “open architecture”; that is, applications can be thought up as the business grows; there are no limits or contours within which it should be used. He has repeatedly described the UID as a unique number, which will be universal and ubiquitous; the latter two indicate that, despite being marketed as voluntary, all activities and services are intended to be made dependent on the UID for all persons, ensuring steady business for the enterprise. The UID enrolment form has a column for “information sharing consent.” This will allow the UIDAI to part with the data, both demographic and biometric, for a price. This explains why there has been so little enthusiasm for a law on the subject. A Bill was introduced in Parliament close to two years after the project was started. When the Parliamentary Standing Committee rejected the Bill and the project in December 2011, the law was consigned to oblivion.

The UIDAI will be a business entity, governed by the Companies Act; not bound by a law that will recognise the fiduciary role of the state, and which will facilitate, and not penalise, a citizen for not having an identity document or number.

The 2009 notification that set up the UIDAI says that the UIDAI is to “take necessary steps to ensure collation of NPR with UID.” Registering in the NPR is compulsory under the Citizenship Act and the Citizenship Rules of 2003. Although biometrics is not within the mandate of the NPR, they have also been collected in the process of building up the NPR database. So, the data mandated to be given to the NPR is being handed over to the UIDAI to become the property of the UIDAI, and we don’t even know it!

(Usha Ramanathan is an independent law researcher and has been following the policy and practices of the UIDAI since 2009.)

If the personal data collected qua every citizen is to be sold it will have very disasterous adverse ramification in as much as persons will get to know your bank accounts,your finger prints,your identity in short and then with all the frauds and cheating that is happening daily in our country they can play havoc with your lives.the parliament and the govt.must ensure that the data is not shared or is not available to be sold.you may also start getting crank calls.please take this matter very seriously.

from:
ranjit kumar

Posted on: May 23, 2013 at 20:47 IST

Indeed the Indian Parliament needs to debate and deliberate and address issues, once it is propelled by society which is presently too pre-occupied by "corruption"; wonder when though!
However, we need to also seek amendment of our constitution to ensure that our fundamental rights, at least (right to privacy) are also ensured and gauranteed vis-a-vis other persons (natural as well as juridical). Wonder, if at all, freedoms hard fought can so easily be compromised, i.e. without debate.

from:
Abid Hussain

Posted on: May 22, 2013 at 17:16 IST

This is quite alarming and dangerous.

from:
Roopesh P Raj

Posted on: May 22, 2013 at 10:34 IST

They sold you dear! This government never does a thing unless it profits the netas and babus!

from:
Bhaskar Ganti

Posted on: May 22, 2013 at 07:56 IST

The sheer number of citizens of different kinds is the only security that we have in India. It is a terrible mess and someone called nandan or whatever is allowed to collect and sell personal data directly to the required people. It is shame on all of us. Smart people dint sign for it in the beginning but there is no choice for you it is compulsory for every service including lpg cylinder

from:
santosh

Posted on: May 22, 2013 at 01:54 IST

There is really no secret information in Aadhar card. Are you concerned about the PAN card, driving license or passport? What about the data in those cases?
What can one do knowing my age, sex etc?

from:
Kannan

Posted on: May 21, 2013 at 22:08 IST

It was always feared that this database would be misused and even abused one day. Now the question is if this can be stopped. Is the government turning into a predator?

from:
Javed Mohd

Posted on: May 21, 2013 at 19:58 IST

Interesting article...but frankly, its a lot of hot air. By merely criticizing a path-breaking initiative, without suggesting alternatives the author merely reinforces her position as a "UIDAI baiter". If the National Information Utilities (NIUs) are flawed, what might be a better mechanism? Also, much is being made out of the fiduciary capacity of the state. If the state does not take ownership of the data it collects, who will?

from:
Dinakar R

Posted on: May 21, 2013 at 18:43 IST

No problem. In fact all the developed countries does this. Only thing is in India we take privacy of citizens lightly. So assured of this privacy of data there is nothing wrong in using it for planning developmental projects.

from:
Kiran

Posted on: May 21, 2013 at 17:58 IST

Post Office want AADHAAR card, Banks want PAN card. Everyone wanting something from common man. However, there is a great conflict of interest between NPR and AADHAAR and their uniqueness too is out of my understanding. The eye-washer article tells us that even flagship schemes of Govt. are not free from ambiguity. I urge our Govt. to endeavour for making basic commodities viz. food items, vegetables, medicines, petrol, diesel etc cheaper, so as could come within reach of general public, instead of eerie innovations.

from:
Varun Joshi

Posted on: May 21, 2013 at 17:17 IST

Nothing wrong in sharing the data among government owned public organisations like Banks, Insurance companies etc as they tend to utilise the same for extending benefits under government sponsored or aided programs. What is to be ensured is the veracity of the organisation viz., UIDAI / NIU in holding, owning, or sharing the data with other than governmental organisations or other NGOs as the common man might get deceited or even get apprehended when personal data reaches the wrong hand. It can happen only in India but it should not happen here. The data/statistics collected by UIDAI and its allied agencies should be treated like the Social Security Number of US citizens.Whoever may be the custodian or owner or held in fiduciary capacity the large data of citizens, maintaining sanctity of the data is the need of the hour. The government has to come out with a clarification on this subject issue to avoid ambiguities.

from:
R.V. Baskaran

Posted on: May 21, 2013 at 17:10 IST

My whole town went on a spree to get registered in UIDAI when they conducted the registration camp. Not even one single person expressed the confidentiality or security concerns. And everybody was completely oblivious to the fact that the UIDAI personnel enrolling the data had opted(selected the check box for information sharing consent) that they agree to let the UIDAI sell/share their data to private entities. When I objected to that, they said it is mandatory and without that later I cannot apply for any subsidy like Domestic gas, etc. There should be a PIL against this UIDAI handling/sharing of data. Otherwise, Mr.Nilekani's blurred vision is going to pave way for selling the whole country to private vested interests.

from:
Karthik

Posted on: May 21, 2013 at 15:20 IST

The scheme is not mandatory and it says so itself, so why are LPG subsidies, car driving licences and banking services being linked to this Aadhar scheme? When there are so many proofs available like passport, driver's licence, Post Office residential proof, Bank Passbook and so forth, why yet another scheme that includes biometric data as well? If the scheme is to be eventually forced down the citizen's throat at the cost of inconveniencing him in terms of denial of subsidies and essential services, will the political class, VIPs and the echelon of society be willing to do the same? It is very much possible that this is a scheme to nudge the middle class into complying and use the scheme as a prime point for the UPA's pitch in 2014.

from:
Nikhil

Posted on: May 21, 2013 at 14:28 IST

Dear Usha,
Ever grateful for the informative piece above.
As an individual citizen what can I do to prevent my data being shared. I was not aware of the “information sharing consent” when I went to get myself phtographed for Adhar. Can I ask UIDAI that since I was not aware of the “information sharing consent” my data not be shared.

from:
Ankan Ghosh

Posted on: May 21, 2013 at 14:13 IST

This author has been trying to malign UIDAI scheme for long time. This is yet another attempt.NIU suggestion has never been accepted by Goverment.

from:
Arun

Posted on: May 21, 2013 at 10:39 IST

This is yet another instance of the government utilizing public resources for the ultimate benefit of vested private interests. This one is particularly alarming since in this case the government is planning to willingly part with private and confidential data of a billion strong population after paying for its collection, which is the currency of the information age, without thought to appropriate, comprehensive data security and confidentiality safeguards. In the wrong hands, the UIDAI data, once related and connected to further private data of citizens sure to be collected in the future, can be exploited and the citizens' privacy compromised and violated in unforeseen ways.

from:
Sumit Roy

Posted on: May 21, 2013 at 09:13 IST

While India still has no law or formal Govt definition of, or even a vague agreement on, what this creature is, its potential for harassing Indians seems universally acknowledged by the scum. The latest is the Post Office demanding the Aadhar Card "to help them help you better". The UID is an altogether stupid and dangerous computerized aspect of India's Constitutional Stalinism

from:
S. Suchindranath Aiyer

Posted on: May 21, 2013 at 07:59 IST

I agree that data should not be on sale. Why should it not be compulsary for everyone ? Why is author not stating other alternatives or how to solve this. In last 65 years we have not solved problem of programs reaching the correct people in need. This is trying to address hence we should be open to make this successful. Legislation required can be done if people demands hence we should not be frightened at the start itself.

from:
rajesh kumar n

Posted on: May 21, 2013 at 07:49 IST

Thanks for the informative article, a couple of points beyond the obvous.
1. Companies which are "profit-making, not profit maximising.”
-There goes all economics of business down the drain as per this audaciously wishful thought.
2. Given the fact that the more the agencies involved, the more the complexity, the less the efficiency, the more the 'opportunities' of corruption. The implementation seems corruption centric, however unintentional it may be.

from:
Shahnawaz Abdullah

Posted on: May 21, 2013 at 07:27 IST

Good! Now it is proved that in the backdrop of crony capitalism ushered by the team led by Dr Manmohan Singh,initiated through JMM bribery scheme( otherwise known as bribery scheme), everything in this country is on sale to anybody including our designated enemies!

from:
atis

Posted on: May 21, 2013 at 07:10 IST

The UID project should be looked at as a curious case of public contracting where notions of some bureaucratic grand design, rather than evidence of public benefits drives policy.

By asking the citizen to voluntarily tag his UID to his other identities, UIDAI is effectively shifting the onus of veracity of UID data to the citizen. Recently Banks have asked UIDAI to be liable for reliability of its database which it has refused.

So Banks, Income Tax authorities, PDS authorities, will continue their own due diligence. Meanwhile, it appears that the UIDAI in the happy business of outsourcing responsibility for agency risks to Private Companies, burden of the data veracity to the citizen, and operational success to myriad Govt agencies whose individual efforts towards financial inclusion, cash transfer pilots,minimizing inclusion and exclusion errors neither require UID nor benefit from its existence and expansion at significant cost to the exchequer.

from:
Srinivas Y

Posted on: May 21, 2013 at 06:43 IST

Sharing (indirect handing over or left for stolen) of data, is also suspected in case of bank's or Gas Agency's KYC norms. Life will be very easy for private (read bigger also) sellers. Ways are made for pin-pointed marketing.

from:
kharat

Posted on: May 21, 2013 at 06:17 IST

"When the state holds data it collects in its transactions with its residents, it holds the data in a fiduciary capacity."

Ms.Ramanathan is doing this country great public service by shining the light on questionable citizen data usage policies being legitimized in the name of the poor.

UIDAI gives the contract to the Private operators, and transfers to them the need for responsible conduct towards the citizens whose data is collected. Thus, the scope for errors, misuse of citizen data originates at the citizen interface where agents of the private operators, currently operate with no constraints of service, quality standards or legal frameworks binding them to the citizen whose data they collect invoking the name of the state.

On one hand, the state forces citizens to get a UID, and then leaves them vulnerable in the hands of agents of private operators. In doing so, the Bureaucrats & hacks like Nilekhani are profoundly undermining the faith of public in their ability to govern

from:
Srinivas Y

Posted on: May 21, 2013 at 06:09 IST

I am afraid that Nielkeni's total architecture gives personal data of citizens to a centralized agency, state or otherwise. There is a lotof mischiefin this that any future oligarchy as the UPA @ or NDA even could use this private confidential information to further their own interests and even worse intimidate individuals into submission in pursuits which are totalitarian. Nilekini, just think of this. Social engineering is not the same as corporate idealization and maximization.
The dangers involved are horrific. indeed.